Skill v1.0.0

ClawScan security

REAL 人格测试 (REAL Personality Test) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 10, 2026, 6:41 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary: The skill’s requested actions (deep scraping of logged‑in social accounts via a browser bridge) match its description, but it relies on hidden/undeclared credentials, asks the agent to run large unmodified JS payloads in your browser (with access to cookies), and recommends pulling code from external repos — these gaps and the insistence on “do not modify” scripts are disproportionate and worth caution.
Guidance

This skill performs deep scraping of your logged‑in social accounts by running JavaScript inside your browser and using a browser bridge (ManoBrowser). Before installing:

1) Understand it requires a ManoBrowser MCP endpoint and API key (not declared in the registry) — don’t paste keys into tools/configs unless you trust the repo and operator.
2) Review the JS extraction scripts and the ManoBrowser extension source yourself — the skill insists you execute their scripts unmodified, which could be abused to exfiltrate data.
3) If you decide to try it, test with non‑sensitive accounts or a disposable profile first and inspect network traffic (where possible).
4) Prefer manual audit of any cloned GitHub code and the ManoBrowser extension; avoid providing credentials to unknown endpoints.
5) Be aware the skill will access cookies, likes/saves/follows and other private behavior — only proceed if you accept that privacy tradeoff.

Review Dimensions

Purpose & Capability
Severity: note
The skill claims to scan social accounts and indeed includes detailed browser JS workflows for Bilibili (B站)/Weibo (微博)/Douyin (抖音)/Xiaohongshu (小红书)/Douban (豆瓣) etc., which is coherent with the described purpose. However, the skill implicitly requires a ManoBrowser MCP endpoint and API key (to control a logged‑in Chrome instance) yet the registry metadata lists no required env vars/credentials — a mismatch between claimed dependencies and declared requirements.
Instruction Scope
Severity: concern
Runtime instructions instruct the agent to execute large, exact JS scripts inside a logged‑in browser (chrome_execute_script) that use fetch({credentials:'include'}), XHR interception, opening/closing tabs, and extracting private behaviors (likes/saves/follows). They also instruct reading local skill files and .mcp.json to find ManoBrowser configuration. These steps access user cookies, session data and other local config and demand the exact, unmodified execution of the included scripts — which gives the skill broad discretion to collect very sensitive personal data and to run arbitrary JS with the browser's authenticated privileges.
Install Mechanism
Severity: note
There is no formal install spec (instruction-only), lowering install risk. But the SKILL.md recommends git cloning external repos (ClawCap/REAL and ClawCap/ManoBrowser) and installing a ManoBrowser Chrome extension. Pulling runtime code from GitHub and relying on a browser extension for privileged access is a moderate risk and should be audited before use. The included check script (check_manobrowser.sh) uses curl to check an endpoint — benign in itself but demonstrates interactions with an external MCP endpoint.
Credentials
Severity: concern
The skill needs access to a logged‑in browser (cookies) and a ManoBrowser MCP endpoint/API key to operate, but these credentials are not declared in requires.env or primaryEnv. The skill instructs users to put Endpoint/API Key into TOOLS.md or TOOLS configuration, which is effectively requesting secrets without declaring them — disproportionate and a transparency problem. It also reads local files (manobrowser/SKILL.md, ~/.openclaw/skills/ etc.), which is more than a simple API key check.
Persistence & Privilege
Severity: ok
always:false and no requested permanent presence. The skill reads other skill files and local config to discover ManoBrowser, but it does not declare that it will modify other skills or persist itself system‑wide. Autonomous invocation is enabled but not combined here with other escalated privileges.